The Fully Networked Car Geneva, 3-4 March 2010 Security risk analysis approach for on-board vehicle networks 1 Alastair Ruddle Consultant, MIRA Limited

The Fully Networked Car Geneva, 3-4 March Motivation o Future vehicles will become mobile nodes in a dynamic transport network vehicle systems will be under threat from malicious individuals and groups seeking to gain personal or organizational advantage ensuring security will be critical for the successful deployment of V2X technology o EU project EVITA aims to prototype a toolkit of techniques and components to ensure the security of in-vehicle systems hardware, software, analysis methods

The Fully Networked Car Geneva, 3-4 March 2010 EVITA scope and assets 3 EVITA only aims to investigate network security solutions at vehicle level Different levels of security protection are envisaged, depending on need Some assets may not require security measures (low risk) Risk analysis aims to prioritize security requirements

The Fully Networked Car Geneva, 3-4 March 2010 EVITA project security risk analysis rationale o Too costly to protect against every threat, so need to rank risks in order to prioritize countermeasures o Risk associated with a security attack depends on: severity of impact (ie. harm to stakeholders) drivers, other road users, civil authorities, ITS operators, vehicle manufacturers and system suppliers probability of successful attack depends on attacker resources, nature of attack o Physical safety is a key aspect of security physical harm may be an objective of an attack harm may also be an unintended consequence 4

The Fully Networked Car Geneva, 3-4 March 2010 Starting point – EVITA Use Cases 5 Powertrain PTC Body Electronic BEM Diagnosis Interface Hybrid Drive Engine Control Bluetooth USB Communication Unit CU Transmission Chassis & Safety CSC Chassis / Steering Brake Control Environmental Sensors Passive Safety Airbag Door Modules Instrument Light Control Display / Video Audio Navigation Head Unit HU Mobile Device In-vehicle network structure PT Sensors Chassis Sensors e.g. Steer Angle GPS/Galileo UMTS DSRC Telephone Climate Seat ECU A suite of 18 potential use cases was defined, based on EASIS project network architecture Scenario classes: car-car car-infrastructure mobile devices aftermarket maintenance Assumed reference architecture

The Fully Networked Car Geneva, 3-4 March 2010 Security threat agents and their motivations o Dishonest drivers avoid financial obligations, gain traffic advantages; o Hackers gain/enhance reputation as a hacker; o Criminals and terrorists financial gain, harm or injury to individuals or groups; o Dishonest organisations driver profiling, industrial espionage, sabotage of competitor products; o Rogue states achieve economic harm to other societies 6

The Fully Networked Car Geneva, 3-4 March Threat analysis – Attack Trees Common model to map attack trees to risk analysis

The Fully Networked Car Geneva, 3-4 March 2010 Severity classification in vehicle safety engineering 8

The Fully Networked Car Geneva, 3-4 March 2010 Extending from safety to security 9

The Fully Networked Car Geneva, 3-4 March 2010 Severity classification of privacy infringements 10

The Fully Networked Car Geneva, 3-4 March 2010 Financial severity classification 11

The Fully Networked Car Geneva, 3-4 March 2010 Security severity classification – a 4-component vector 12

The Fully Networked Car Geneva, 3-4 March 2010 Attack potential and probability o Attack potential evaluation using established, structured approach from Common Criteria applied in EVITA at asset attack level of attack trees o Indicative of attack probability (inverse relationship) numerical scale used to represent relative ranking of attack probability 13

The Fully Networked Car Geneva, 3-4 March 2010 Possibility for the driver (and/or other traffic participants) to mitigate possible safety hazards Controllability – safety hazards 14

The Fully Networked Car Geneva, 3-4 March 2010 Risk graph (fragment only) 15 Non-safety aspects addressed with table for controllability C=1 (C>1 only for safety issues)

The Fully Networked Car Geneva, 3-4 March 2010 A compressed tabular attack tree representation provides a convenient framework for documenting the risk analysis Attack Objective Severity (S) Attack Method Risk level (R) Combined attack method probability (A) Asset (attack) Attack Probability (P) B SBSB B1 R B1 (S B, A B1 )A B1 =min{Pa,Pb} a & b Pa Pb B2 R B2 (S B, A B2 )A B2 =max{Pd,Pe,Pf} d Pd e Pe f Pf Attack tree tables for risk analysis 16 OR: as easy as the easiest option AND: as hard as the hardest component

The Fully Networked Car Geneva, 3-4 March 2010 Overview of EVITA attack trees o The 18 EVITA use cases suggested 10 attack trees: attack E-call, attack E-toll tamper with warnings, attack active break manipulate speed limits, force green light manipulate traffic flow, simulate traffic jam unauthorized braking, engine denial-of-service o These are representative, but not exhaustive o Rationalization of the attack trees revealed: 44 different asset attacks, involving 16 different assets o Risk analysis provides the means to assess the relative importance of protecting these assets 17

The Fully Networked Car Geneva, 3-4 March 2010 Risk-based prioritisation of counter-measures 18

The Fully Networked Car Geneva, 3-4 March Conclusions o A security risk analysis approach has been developed from automotive safety and IT security practices attack trees to identify asset attacks from use cases, attacker type and motivations 4-component security risk vector, potentially including security-related safety issues attack potential and controllability to assess probability of successful attack o Level and frequency of risks associated with asset attacks identified in attack trees indicate priorities for counter-measures

The Fully Networked Car Geneva, 3-4 March 2010 Acknowledgements 20 For further information see: